c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 13:22

Target

c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe
Size

73KB
MD5

78a0054a7a6c6a91dbbc0b822e5fc4cc
SHA1

b7f1b0be1764651d81766c81bc6c4972c2fa173b
SHA256

c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e
SHA512

44df5dd2a5c4e1cf6fb3d8a76c5030e2f074e510aea80bce8b9ec5ca5a8f90307cb9414e7529eb2094b68c04e4202623d7bf1c52a7db20b399f17a1adfe695de
SSDEEP

1536:HbLRHTJCwUiK5QPqfhVWbdsmA+RjPFLC+e5hA0ZGUGf2g:HPVEw3NPqfcxA+HFshAOg

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
1704	[email protected]

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 740	4812	c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe	82
PID 4812 wrote to memory of 740	4812	c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe	82
PID 4812 wrote to memory of 740	4812	c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe	82
PID 740 wrote to memory of 1704	740	cmd.exe	83
PID 740 wrote to memory of 1704	740	cmd.exe	83
PID 740 wrote to memory of 1704	740	cmd.exe	83
PID 1704 wrote to memory of 1672	1704	[email protected]	84
PID 1704 wrote to memory of 1672	1704	[email protected]	84
PID 1704 wrote to memory of 1672	1704	[email protected]	84

C:\Users\Admin\AppData\Local\Temp\c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe
"C:\Users\Admin\AppData\Local\Temp\c7d72aa939305a1b806fbee067bdd6de011e368ed8fb292560fa29dc24d9123e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c [email protected]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\[email protected]
    [email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 00.exe
      4⤵
      PID:1672

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
9762e3ac7e7bcdf26ac23768a8f91ddc

SHA1
0bf341d46eb1cb6bad1e9ef91934a29bac243b8b

SHA256
61f78755dc57a6d07ec6b7fd1b8af5da424a6db14d38dbc992a6648f0aa559a4

SHA512
1d192177ff3063b74e7043087e73e0834c710a9b14a3aab498dd08b8ba86279c6bdbb7696da06f4180bb855f1e0a7f87079857ec764eac5495417d5951a8a4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
73KB

MD5
9762e3ac7e7bcdf26ac23768a8f91ddc

SHA1
0bf341d46eb1cb6bad1e9ef91934a29bac243b8b

SHA256
61f78755dc57a6d07ec6b7fd1b8af5da424a6db14d38dbc992a6648f0aa559a4

SHA512
1d192177ff3063b74e7043087e73e0834c710a9b14a3aab498dd08b8ba86279c6bdbb7696da06f4180bb855f1e0a7f87079857ec764eac5495417d5951a8a4a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00.exe

Filesize
2KB

MD5
7b621943a35e7f39cf89f50cc48d7b94

SHA1
2858a28cf60f38025fffcd0ba2ecfec8511c197d

SHA256
bef04c2f89dc115ce2763558933dba1767bf30cda6856d335ae68955923f9991

SHA512
4169e664ad4e7e6891a05ceed78465e0ec44879b37fc0de97c014945e10c161f6bfb040efc24edc136e69bb115b2a1327b04cefb58141f712da856129872e8f1

Download Submit